United  States  Senate 

WASHINGTON,  DC  20510 
May  6,2019 


The  Honorable  Joseph  Simons 
Chairman 

Federal  Trade  Commission 
600  Pennsylvania  Avenue,  NW 
Washington,  DC  20580 


Dear  Chairman  Simons: 

We  write  to  urge  the  Commission  to  act  swiftly  to  conclude  its  investigation  of  Facebook, 
and  to  move  to  compel  sweeping  changes  to  end  the  social  network’s  pattern  of  misuse  and 
abuse  of  personal  data.  This  investigation  has  been  long  delayed  in  conclusion  -  raising  the 
specter  of  a  remedy  that  is  too  little  too  late.  The  Facebook  consent  decree  violations  have  been 
blatant  and  brazen,  an  offensive  defiance  that  adds  insult  to  injury.  The  public  is  rightly  asking 
whether  Facebook  is  too  big  to  be  held  accountable.  The  FTC  must  set  a  resounding  precedent 
that  is  heard  by  Facebook  and  any  other  tech  company  that  disregards  the  law  in  a  rapacious 
quest  for  growth.  The  Commission  should  pursue  deterrent  monetary  penalties  and  impose 
forceful  accountability  measures  on  Facebook,  including  limits  on  the  use  of  consumer  data, 
managerial  responsibility  for  violations,  and  other  structural  remedies  to  stop  further  breaches  of 
consumer  trust. 

According  to  its  most  recent  financial  earnings  statement,  Facebook  has  estimated  that 
the  FTC's  investigation  will  cost  the  company  between  $3  billion  to  $5  billion.1  While  the 
reported  penalty  exceeds  previous  privacy  cases,  the  scope  and  nature  of  the  allegations  are  also 
unprecedented.  The  Cambridge  Analytica  incident  that  initially  prompted  the  investigation 
affected  the  personal  data  of  more  than  70.6  million  Americans,  and  Facebook  still  has  not  fully 
accounted  for  similar  misuse  by  other  third  party  applications.2  This  also  does  not  consider 
further  issues  that  the  FTC  may  find  in  its  investigation,  such  as  recent  reports  that  Facebook 
harvested  address  books  from  email  accounts  without  user  consent.3 

In  the  same  quarter  it  reported  the  FTC  fine,  Facebook  recorded  $15  billion  in  revenue, 
beating  market  expectations.  Considering  the  maximum  civil  penalty  amount  of  $42,530  per 
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violation,  the  rumored  number  is  a  bargain  for  Facebook.  Even  a  fine  in  the  billions  is  simply  a 
write-down  for  the  company,  and  large  penalties  have  done  little  to  deter  large  tech  firms.4 5  If  the 
FTC  is  seen  as  traffic  police  handing  out  speeding  tickets  to  companies  profiting  off  breaking  the 
law,  then  Facebook  and  others  will  continue  to  push  the  boundaries. 

Fines  alone  are  insufficient.  Far-reaching  reforms  must  finally  hold  Facebook 
accountable  to  consumers.  We  are  deeply  concerned  that  one-time  penalties  of  any  size  every 
few  years  are  woefully  inadequate  to  effectively  restrain  Facebook.  The  FTC  should  impose 
long-term  limits  on  Facebook’ s  collection  and  use  of  personal  information.  It  should  consider 
setting  rules  of  the  road  on  what  Facebook  can  do  with  consumers’  private  information,  such  as 
requiring  the  deletion  of  tracking  data,  restricting  the  collection  of  certain  types  of  information, 

curbing  advertising  practices,  and  imposing  a  firewall  on  sharing  private  data  between  different 
products,  including  Facebook’ s  ad  platform. 

As  important  as  remedies  on  Facebook  as  a  company  are,  the  FTC  should  impose  tough 
accountability  measures  and  penalties  for  individual  executives  and  management  responsible  for 
violations  of  the  consent  order  and  for  privacy  failures.  Personal  responsibility  must  be 
recognized  from  the  top  of  the  corporate  board  down  to  the  product  development  teams.  For 
decades,  the  FTC  has  understood  that  some  violations  require  naming  specific  executives  in  its 
consent  orders,  particularly  those  that  “formulates,  directs,  or  controls  the  policies,  acts,  or 
practices”  that  break  the  law.3  According  to  the  Washington  Post,  the  FTC  considered  naming 
Mark  Zuckerberg  in  its  previous  consent  order  but  ultimately  declined  to  do  so.6  If  the  FTC  finds 
that  any  Facebook  executive  knowingly  broke  the  consent  order  or  violated  the  law,  it  must  name 
them  in  any  further  action. 

It  is  also  time  for  the  FTC  to  learn  from  a  history  of  broken  and  under-enforced  consent 
orders.  The  FTC  has  an  opportunity  to  establish  a  new  set  of  requirements  for  consent  orders  that 
target  data  privacy  cases  and  provide  enduring  safeguards  for  consumers.  Such  measures  could 
include  the  direct  appointment  and  oversight  of  auditors  by  the  FTC,  strict  board  or  managerial 
liability  for  assessments  and  compliance,  restriction  on  data  practices  or  collection,  and  public 
disclosure  of  audits. 
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The  Facebook  investigation  will  be  a  defining  moment  for  the  Commission.  It  must  be 
seen  as  a  strong  protector  of  consumer  privacy  and  begin  to  set  out  a  new  era  of  enforcement,  or 
it  will  not  be  taken  as  a  credible  enforcer.  Action  is  overdue. 


Thank  you  for  your  attention  to  this  important  matter. 


Richard  Blumenthal 
United  States  Senate 


Sincerely, 


h  Hawley 

States  Senate 


